/* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package azureshared import ( "net/url" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" ) func TestMain(m *testing.M) { goleak.VerifyTestMain(m) } func TestApplicationCredentialsFromURI(t *testing.T) { creds := ApplicationCredentials{ TenantID: "tenant-id", AppClientID: "client-id", ClientSecretValue: "client-secret", Location: "location", UamiResourceID: "subscriptions/9b352db0-82af-408c-a02c-36fbffbf7015/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMIName", PreferredAuthMethod: AuthMethodServicePrincipal, } credsWithoutSecret := ApplicationCredentials{ TenantID: "tenant-id", Location: "location", UamiResourceID: "subscriptions/9b352db0-82af-408c-a02c-36fbffbf7015/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMIName", PreferredAuthMethod: AuthMethodUserAssignedIdentity, } credsWithoutPreferrredAuthMethod := ApplicationCredentials{ TenantID: "tenant-id", AppClientID: "client-id", ClientSecretValue: "client-secret", Location: "location", } testCases := map[string]struct { cloudServiceAccountURI string wantCreds ApplicationCredentials wantErr bool }{ "getApplicationCredentials works": { cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&client_id=client-id&client_secret=client-secret&location=location&preferred_auth_method=serviceprincipal&uami_resource_id=subscriptions%2F9b352db0-82af-408c-a02c-36fbffbf7015%2FresourceGroups%2FresourceGroupName%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2FUAMIName", wantCreds: creds, }, "can parse URI without app registration / secret": { cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&location=location&preferred_auth_method=userassignedidentity&uami_resource_id=subscriptions%2F9b352db0-82af-408c-a02c-36fbffbf7015%2FresourceGroups%2FresourceGroupName%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2FUAMIName", wantCreds: credsWithoutSecret, }, "can parse URI without preferred auth method": { cloudServiceAccountURI: "serviceaccount://azure?tenant_id=tenant-id&client_id=client-id&client_secret=client-secret&location=location", wantCreds: credsWithoutPreferrredAuthMethod, }, "invalid URI fails": { cloudServiceAccountURI: "\x00", wantErr: true, }, "incorrect URI scheme fails": { cloudServiceAccountURI: "invalid", wantErr: true, }, "incorrect URI host fails": { cloudServiceAccountURI: "serviceaccount://incorrect", wantErr: true, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) require := require.New(t) creds, err := ApplicationCredentialsFromURI(tc.cloudServiceAccountURI) if tc.wantErr { assert.Error(err) return } require.NoError(err) assert.Equal(tc.wantCreds, creds) }) } } func TestToCloudServiceAccountURI(t *testing.T) { testCases := map[string]struct { credentials ApplicationCredentials wantURLValues url.Values }{ "client id and secret without preferred auth method": { credentials: ApplicationCredentials{ TenantID: "tenant-id", AppClientID: "client-id", ClientSecretValue: "client-secret", Location: "location", }, wantURLValues: url.Values{ "tenant_id": []string{"tenant-id"}, "client_id": []string{"client-id"}, "client_secret": []string{"client-secret"}, "location": []string{"location"}, }, }, "client id and secret with preferred auth method": { credentials: ApplicationCredentials{ TenantID: "tenant-id", AppClientID: "client-id", ClientSecretValue: "client-secret", Location: "location", PreferredAuthMethod: AuthMethodServicePrincipal, }, wantURLValues: url.Values{ "tenant_id": []string{"tenant-id"}, "client_id": []string{"client-id"}, "client_secret": []string{"client-secret"}, "location": []string{"location"}, "preferred_auth_method": []string{"ServicePrincipal"}, }, }, "only preferred auth method": { credentials: ApplicationCredentials{ TenantID: "tenant-id", Location: "location", PreferredAuthMethod: AuthMethodUserAssignedIdentity, }, wantURLValues: url.Values{ "tenant_id": []string{"tenant-id"}, "location": []string{"location"}, "preferred_auth_method": []string{"UserAssignedIdentity"}, }, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) require := require.New(t) cloudServiceAccountURI := tc.credentials.ToCloudServiceAccountURI() uri, err := url.Parse(cloudServiceAccountURI) require.NoError(err) query := uri.Query() assert.Equal("serviceaccount", uri.Scheme) assert.Equal("azure", uri.Host) assert.Equal(tc.wantURLValues, query) }) } }